[Owasp-board] You OK?

dinis cruz dinis.cruz at owasp.org
Thu Sep 24 12:47:28 UTC 2009

Hi Rex, Doug and Mark (CCing the OWASP board)
I think we're getting there on how to handle our OWASP leaders.

Just a couple extra comments below, but please don't take any of this
personally. ALL of us (in the Board) have been personally responsible for
organizing Conferences (and Summit) and know exactly what you are going
through (long hours, lack of feedback, ideas thrown at the last minute,
problems after problems after problems (from the smallest one to the massive
ones (remember Tom's problem in NYC with having to find a new venue with
weeks to go before the conference?))

2009/9/23 Rex Booth, OWASP <rex.booth at owasp.org>

> Dinis,
> If chapter leads get in for free, we can transfer the cost of each ticket
> to the OWASP foundation.  If that's what you and the rest of the Board
> expect, then we can comply.  Please confirm that the rest of the Board
> agrees with this approach and we'll send out an announcement.

I will get back to you with an action plan on how we should implement this
(I have a couple extra questions which I will send to you 3 directly)

> With all due respect, however, I'm not OK at all with how this is being
> handled.  The selective involvement of the Board has been more of a
> hindrance than a help thus far.  We have reached out multiple times to the
> Board to solicit expectations and involve you in planning, but with no
> reply.

You have a very good point here, and in an ideal world we would all be more
involved with this conference. THAT SAID, I would argue that the reason the
board is not more involved is because you guys are doing such a GREAT JOB :)

The way I look at it we (Board and Committees) have to redirect our energy
to the areas where we can have more impact, and (at least from my point of
view) this conference looks really good and is going in the right direction.
So no real need to be involved (until now :)  )

Regarding the lack of feedback, well 'join the club mate', those are the rules
of the game :)

It is very hard to get real feedback because people tend to be very busy and
most of the time, the issues can't be dealt with in a 10m email/call. As a
personal example I have spent quite a number of hours on this 'OWASP Leaders
to attend the conference'.

The other item I would like to call your attention to (and please note that
this is a BIG COMPLIMENT to you 3) is that this is the 1st US AppSec
conference that is NOT being organized by a Board Member. And I think that
this is GREAT!! Again it shows how much control and quality you have that we
don't need to be that involved (even if it is one of our most
profit-generating events)

Now does this mean that sometimes you get hit by a burst of 'energy' when one
of us has some time to address a particular issue? Yes, and I think that as
long as the issues are relevant and important, then it is just the way the
system works (remember that we (like you) have day jobs (in addition to the
other OWASP activities we are all involved in))

>  This is a conference which will be over a year in the making - an event
> which should exceed all previous OWASP events, but it's being treated as if
> it were a house party where "there's no harm in inviting a few more
> friends."

Regarding your efforts, I don't think we have any issues with it. And it is
a great sign of maturity for OWASP that we are able to organize these types
of events with such advanced time.

That said, I do take an issue with your 'house party' comment, and would like
to (gently :)  ) remind you that this is an OWASP event that is only
possible due to OWASP leaders' hard work, unpaid hours and talent.

To be honest the main reason I decided to 'create this mess' (sorry again
for not intervening sooner) is because I felt that this issue was VERY
IMPORTANT to our community and (ironically) the more successful our
conferences become, the more important this is.

Just think about this, how would you feel if you (or Doug or Mark) wanted to
attend the next major OWASP conference in the US or Europe at your own
travel and accommodation cost, and after all the hundred hours you spent
organizing this year's conference, OWASP would still ask you to pay for it?
 I don't think you will be happy!

Regarding the 'house party' concept, maybe you don't like it, but I quite
like the idea that our OWASP conferences are places where our leaders are
very welcomed and treated as special guests (again, they are the ones that

I think the fundamental problem here is that you 3 are VERY focused on this
event, and that is great. Our job (in the board) is to keep an eye on the
big picture, and here is where we had our 'little clash'

> I have yet to see a single public email from a Board member expressing
> unconditional support for this event.  And worse, instead of support, you
> not only publicly question our approaches, but also ask David Campbell
> to resurrect a discussion that should have been kept private in the first
> place.

This is a tough one, since I (and probably the other Board members) were not
aware that you guys felt that 'isolated' (again I viewed it as a MASSIVE
compliment to you the fact that the Board was not involved). That said, I
did include Jeff's quote on my email, and when I send out the rules of
engagement for the Leaders participation on this conference I will again
mention the OWASP Board support.

One comment on the practicality of those shows of support (remember that we
have dozens of OWASP conferences per year now, so it is not THAT practical
to issue a 'show of public support' for all of them), traditionally we have only
done that ('show of public support') when there is an 'authority problem'
and the organizers feel that they need more 'board support' for what they
are trying to do. But that is not the case here, right? Apart from the
current issue, has there been any show-stoppers or big problems that could
have been made easier with more OWASP Board involvement?

Regarding David Campbell's email, it's my fault since I was under the (wrong)
impression that you guys were on board with that concept, and felt that his
comments were a good justification of why OWASP needs to support its leaders
(I quite like his point on "...Paying to get in may be a dealbreaker for
chapter leaders who are overdrawn on the "emotional bank account" that is
OWASP...")

> I don't pretend to have all the answers when it comes to conference
> planning, but I do know that Doug, Mark and I are the ones who have sunk
> hundreds and hundreds of man-hours into this event.  If you want to be
> involved, we'd welcome you to the team.  But what we don't need is armchair
> quarterbacking from the bleachers.

Rex, I hope that my explanations (and efforts on addressing this issue)
help you to understand why I felt I had to 'push' this change. I will
disagree that this is a "... armchair quarterbacking from the bleachers..."
issue. This goes to the heart of OWASP's community and that is why I acted
the way I did.

As you know, there are TONS of other issues that you guys need to deal with,
and on a lot of those, I will argue with you that before one makes comments
or suggestions, one should: a) do the homework or b) be involved earlier on

Again, please don't take this personally, I have the most respect and
understanding of what you guys are doing there (remember that me and Paulo
were up to our necks with the Summit last year), so I REALLY think you are
doing a great job and look forward to attending the conference.


Dinis Cruz

> Rex
> ...copying my colleagues to keep them in the loop.
> dinis cruz wrote:
>> Hey Rex (email just to you)
>> Just wanted to make sure you are OK with that 'OWASP Leaders to attend the
>> conference for free' thread?
>> Like David Campbell mentions on his last email, if there is an extra cost,
>> and if you are able to calculate it, we can move that 'cost' into the OWASP
>> mothership, so that it doesn't affect the finances of the Conference
>> Sorry for being a pain and for giving you extra work
>> Dinis